UPDATE - VMware is urging administrators to immediately patch a critical-severity authentication bypass vulnerability, which if exploited could allow a remote attacker with network access to a vulnerable user interface to skip authentication and obtain administrative privileges.
The vulnerability (CVE-2022-31656) exists in VMware’s Workspace ONE Access (formerly Identity Manager) identity management solution - which has been impacted by several serious VMware vulnerabilities over the past year - and vRealize Automation, an infrastructure management platform for configuring IT resources and automating container-based application delivery. Currently, VMware said it has not observed exploitation of the vulnerability in the wild. Further details of the flaw are scant; however, Petrus Viet with VNG Security, who discovered the flaw, said that a technical writeup and proof-of-concept exploit are “soon to follow.”
“Given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately,” said Claire Tills, senior research engineer with Tenable's Security Response Team, in a Tuesday alert. “This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.”
A VMware spokesperson said that CVE-2022-31656 is a variant of CVE-2022-22972, an authentication bypass vulnerability patched by VMware in May along with a privilege escalation error (CVE-2022-22973). The flaw, also in VMware Workspace ONE Access and vRealize Automation, was highlighted by the Cybersecurity and Infrastructure Security Agency (CISA) in an emergency directive that warned that threat actors would quickly develop methods for exploitation and ordered federal civilian executive branch agencies to apply updates by May 23.
"When a security researcher finds a vulnerability, it often draws the attention of other security researchers who bring different perspectives and experience to the research," said the VMware spokesperson. "CVE-2022-31656, reported by PetrusViet, is a variant of CVE-2022-22972. The update provided in our previous security advisory on May 18 removes CVE-2022-22972 from the environment, but it does not remove this new variant, CVE-2022-31656."
Along with the authentication bypass flaw, VMware on Tuesday also issued patches for nine other vulnerabilities across its products, including an important-severity JDBC injection remote code execution flaw (CVE-2022-31658) in VMware Workspace ONE Access and vRealize Automation and an important-severity SQL injection remote code execution bug (CVE-2022-31659) in VMware Workspace ONE Access. Both of these flaws could be exploited by an attacker with administrator privileges and network access, according to VMware. Tills noted that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit these two authenticated remote code execution flaws addressed in the release.
“The biggest concern with this flaw is its potential for use in exploit chains,” said Tills. “On its own, an attacker could achieve administrative access with CVE-2022-31656, but from there, they would be able to exploit several other vulnerabilities patched in this release that allow for remote code execution and full system compromise. The main mitigating factor is that the attacker would need network access to the user interface.”
While workarounds are available for CVE-2022-31656, VMware recommends that organizations apply patches.
“These vulnerabilities are authentication bypass, remote code execution, and privilege escalation vulnerabilities,” said Bob Plankers, staff security and compliance architect at VMware. “It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an ‘emergency’ change.”
This article was updated on Aug. 3 to include a VMware spokesperson's statement.